DET0263 Detecting Bulk or Anomalous Access to Private Code Repositories via SaaS Platforms

Item           Value
ID             DET0263
Version        1.0
Created        21 October 2025
Last Modified  21 October 2025

Technique Detected: T1213.003 (Code Repositories)

Analytics

SaaS

AN0732

Anomalous or bulk download activity from private or restricted repositories by non-developer or privileged accounts, often preceded by unusual login behavior (e.g., unfamiliar geo, OAuth token use, elevated API rate).

Log Sources

Data Component                     Name         Channel
Cloud Service Metadata (DC0070)    saas:github  repo.download, repo.clone, oauth.authorize, repo.getContent
Logon Session Creation (DC0067)    saas:github  Login from unusual IP, device fingerprint, or location; access token creation from new client
Application Log Content (DC0038)   saas:github  Bulk access to multiple files or large volume of repo requests within short time window

Mutable Elements

Field                 Description
TimeWindow            Threshold for file access volume over short duration (e.g., 10+ repos accessed in <5 min)
UserContext           Role or permission profile expected to interact with repositories (e.g., developers vs. admins)
GeoAnomalyThreshold   Distance or variance allowed before a login is flagged as anomalous
RepoSensitivityTag    Whether a repository is labeled sensitive or restricted